In a statement published on its website, Dixons Carphone, a UK electronics retailer, has announced that a data breach it previously reported as affecting 1.2 million users actually affected 10 million users.
In response, the Information Commissioner’s Office (ICO), the UK’s data protection authority, has announced that Dixons Carphone has made it aware of the revised estimate and that its investigation is “ongoing”.
Dixons Carphone announced the breach on 13th June, stating at the time that 5.9 million payment cards and 1.2 million “personal records” were affected. The latest announcement revises the number of “personal records” affected.
“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.
“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated”.
If, as Dixons Carphone states, the incident occurred in 2017, then it’s likely to fall under the provisions of The Data Protection Act 1998, not the General Data Protection Regulation (GDPR) or The Data Protection Act 2018, which only came into force earlier this year.
While organizations found in contravention of the GDPR can be fined upwards of 20 million EUR or 4 percent of annual revenue, whichever is higher, the maximum fine that can be issued under The Data Protection Act 1998 is £500,000.
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right,” said CEO Alex Baldock, in response to the revised estimate.
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us”.
According to its latest annual report, the group’s pre-tax profits fell from £500 million in 2017 to £382 million in 2018. Total revenue for 2018 was £10.5 billion.